* CVE-2021-44716 "net/http: limit growth of header canonicalization cache

  An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. For users who cannot immediately update to the new release, setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package. This issue is also fixed in golang.org/x/net/http2 v0.0.0-20211209124913-491a49abca63, for users manually configuring HTTP/2. Thank you to murakmii for reporting this issue. This is CVE-2021-44716 and Go issue go.dev/issue/50058."

* CVE-2021-44717 "syscall: don’t close fd 0 on ForkExec error

  When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit. Thank you to Tomasz Maczukin and Kamil Trzciński of GitLab for reporting this issue. This is CVE-2021-44717 and Go issue go.dev/issue/50057."
Please bump to 1.17.5.
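The CVE-2021-44716 note above gives two ways HTTP/2 can be active in a Go server (the bundled net/http implementation, switchable with GODEBUG=http2server=0, or a manual golang.org/x/net/http2 configuration that the GODEBUG switch does not touch), and each needs a different fix. The following is an added example, not code from the Go project or from this bug; the functions http2Path, godebugValue and disableBundledHTTP2 are my own names. It classifies an *http.Server by those rules, shows the in-code alternative to the environment variable (a non-nil TLSNextProto map, which net/http documents as turning off automatic HTTP/2), and, when run as a program, reports what an httptest TLS server with the default configuration actually negotiates:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// godebugValue extracts key from a GODEBUG string such as
// "gctrace=1,http2server=0". Later entries override earlier ones; an absent
// key yields "". (Helper added for this example.)
func godebugValue(godebug, key string) string {
	val := ""
	for _, kv := range strings.Split(godebug, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok && strings.TrimSpace(k) == key {
			val = strings.TrimSpace(v)
		}
	}
	return val
}

// http2Path reports which HTTP/2 code an *http.Server will run once Serve or
// ServeTLS is called, following the rules stated in the advisory:
//   - a non-nil TLSNextProto map means HTTP/2 was configured manually, so
//     net/http never installs its bundled implementation and GODEBUG is
//     ignored; an "h2" entry (what golang.org/x/net/http2.ConfigureServer
//     installs) means x/net/http2 handles HTTP/2, no entry means it is off;
//   - otherwise the bundled net/http implementation is used unless GODEBUG
//     carries http2server=0.
// The answer tells you which fix applies: a Go toolchain update for
// "bundled", an x/net update for "x/net/http2".
func http2Path(srv *http.Server, godebug string) string {
	if srv.TLSNextProto != nil {
		if _, ok := srv.TLSNextProto["h2"]; ok {
			return "x/net/http2"
		}
		return "off"
	}
	if godebugValue(godebug, "http2server") == "0" {
		return "off"
	}
	return "bundled"
}

// disableBundledHTTP2 is the in-code equivalent of GODEBUG=http2server=0: a
// non-nil (even empty) TLSNextProto map stops net/http from registering "h2".
// Unlike the environment variable it cannot be forgotten in a unit file or
// undone by a later os.Setenv, and it shows up in code review.
func disableBundledHTTP2(srv *http.Server) {
	if srv.TLSNextProto == nil {
		srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
	}
}

// main prints the decision for this process and, as an end-to-end check,
// the protocol an httptest TLS server with the default configuration
// negotiates with an HTTP/2-capable client.
func main() {
	fmt.Println("HTTP/2 path for a default *http.Server in this process:",
		http2Path(&http.Server{}, os.Getenv("GODEBUG")))

	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, r.Proto)
	}))
	ts.EnableHTTP2 = true
	ts.StartTLS()
	defer ts.Close()

	resp, err := ts.Client().Get(ts.URL)
	if err != nil {
		log.Fatal(err)
	}
	resp.Body.Close()
	fmt.Println("negotiated with default server config:", resp.Proto)
}
```

One caveat when switching HTTP/2 off either way: if your own tls.Config still lists "h2" in NextProtos, remove it as well. A client that negotiates h2 over ALPN against a server with no h2 handler gets its connection closed rather than a fall-back to HTTP/1.1. Running this block with GODEBUG=http2server=0 in the environment shows exactly that, because httptest with EnableHTTP2 advertises only h2: expect the request to fail instead of coming back as HTTP/1.1.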
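The CVE-2021-44717 note above names the trigger (a process out of file descriptors calling syscall.ForkExec) and the interim mitigation (raising the per-process descriptor limit). The following is an added example, not code from the Go project or from this bug, and it assumes a Unix system (it uses RLIMIT_NOFILE, fstat and /bin/true or /usr/bin/true); fdIdentity, raiseFDLimit and fd0SurvivesExhaustedExec are my own names. It applies the mitigation, and it recreates the trigger against whatever Go toolchain the binary was built with: lower the soft limit, exhaust descriptors, force os/exec to fail inside ForkExec, and then check whether fd 0 still refers to the same file, which is the condition the advisory says a vulnerable toolchain violates:

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// fdIdentity returns the device and inode behind fd and whether fd is open at
// all. Equal results before and after an operation mean fd still refers to
// the same file; a changed inode is the misdirected-I/O condition the
// advisory describes.
func fdIdentity(fd int) (dev, ino uint64, open bool) {
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		return 0, 0, false
	}
	return uint64(st.Dev), uint64(st.Ino), true
}

// raiseFDLimit applies the advisory's interim mitigation: lift the soft
// RLIMIT_NOFILE to the hard limit so descriptor exhaustion, the trigger for
// the bug, becomes far less likely. It returns the limits before and after.
func raiseFDLimit() (before, after syscall.Rlimit, err error) {
	if err = syscall.Getrlimit(syscall.RLIMIT_NOFILE, &before); err != nil {
		return
	}
	after = before
	after.Cur = before.Max
	if err = syscall.Setrlimit(syscall.RLIMIT_NOFILE, &after); err != nil {
		return
	}
	err = syscall.Getrlimit(syscall.RLIMIT_NOFILE, &after)
	return
}

// fd0SurvivesExhaustedExec recreates the CVE-2021-44717 trigger against the
// Go toolchain this binary was built with: lower the soft fd limit, open
// descriptors until EMFILE, make exec's ForkExec fail for lack of
// descriptors, then check whether fd 0 still names the same file. preserved
// is false on a vulnerable toolchain; execErr is the (expected) exec failure.
func fd0SurvivesExhaustedExec() (preserved bool, execErr error, err error) {
	prog := "/bin/true" // assumption: one of these exists on the host
	if _, e := os.Stat(prog); e != nil {
		prog = "/usr/bin/true"
	}
	dev0, ino0, open0 := fdIdentity(0)

	var saved syscall.Rlimit
	if err = syscall.Getrlimit(syscall.RLIMIT_NOFILE, &saved); err != nil {
		return false, nil, err
	}
	low := saved
	low.Cur = 32 // already-open descriptors stay open; new ones fail past this
	if err = syscall.Setrlimit(syscall.RLIMIT_NOFILE, &low); err != nil {
		return false, nil, err
	}
	defer syscall.Setrlimit(syscall.RLIMIT_NOFILE, &saved)

	var opened []int
	defer func() {
		for _, fd := range opened {
			syscall.Close(fd)
		}
	}()
	for i := 0; i < 4096; i++ { // bounded in case the limit did not take effect
		fd, e := syscall.Open("/", syscall.O_RDONLY, 0)
		if e != nil {
			break // EMFILE: the process is now out of descriptors
		}
		opened = append(opened, fd)
	}

	// Reuse the process's own stdio files so os/exec allocates no descriptors
	// before reaching ForkExec; the failure then comes from ForkExec itself.
	cmd := exec.Command(prog)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	execErr = cmd.Run()

	dev1, ino1, open1 := fdIdentity(0)
	preserved = open0 == open1 && dev0 == dev1 && ino0 == ino1
	return preserved, execErr, nil
}

func main() {
	preserved, execErr, err := fd0SurvivesExhaustedExec()
	if err != nil {
		fmt.Println("could not run the check:", err)
		os.Exit(2)
	}
	fmt.Println("exec under fd exhaustion failed with:", execErr)
	fmt.Println("fd 0 preserved:", preserved)

	before, after, err := raiseFDLimit()
	if err != nil {
		fmt.Println("raising RLIMIT_NOFILE failed:", err)
		os.Exit(2)
	}
	fmt.Printf("RLIMIT_NOFILE soft limit: %d -> %d (hard %d)\n", before.Cur, after.Cur, after.Max)
}
```

Run the check once per toolchain you build with rather than in production: it deliberately starves the process of descriptors for a moment, and the identity comparison only observes fd 0, so a build that passes here is consistent with the fix but a stricter verification is still the version bump itself. The limit raise is process-local and is inherited by children, so a service that exec's helpers gets the mitigation for those too.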
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f53542dc5c463dab1ea1f3b761cf68fb0b71437

commit 5f53542dc5c463dab1ea1f3b761cf68fb0b71437
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-12-10 22:46:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-12-10 22:46:41 +0000

    dev-lang/go: 1.17.5 bump

    Bug: https://bugs.gentoo.org/828655
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.5.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Please stabilize when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee5f1f74a5ccf445fc871b342fae19bf478a7a48

commit ee5f1f74a5ccf445fc871b342fae19bf478a7a48
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-12-15 15:38:31 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-12-15 15:38:47 +0000

    dev-lang/go: remove 1.17.2 and 1.17.3

    Bug: https://bugs.gentoo.org/828655
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   2 -
 dev-lang/go/go-1.17.2.ebuild | 197 -------------------------------------------
 dev-lang/go/go-1.17.3.ebuild | 197 -------------------------------------------
 3 files changed, 396 deletions(-)
Thank you!